Restricted PodSecurityPolicy does not prevent containers from running as a privileged user

Moderate
macedogm published GHSA-hwm2-4ph6-w6m5 Mar 31, 2022

Package

Rancher (Rancher)

Affected versions

From 2.0 up to and including 2.6.3

Patched versions

2.6.4 and later releases

Description

Impact

The restricted pod security policy (PSP), provided in Rancher versions from 2.0 up to and including 2.6.3, deviates from the upstream restricted policy provided in Kubernetes: Rancher's PSP has runAsUser set to runAsAny, while upstream has runAsUser set to MustRunAsNonRoot. This allows containers to run as any user, including a privileged user (root), even when Rancher's restricted policy is enforced on a project or at cluster level.

A new restricted-noroot PSP was created to prevent pods from running as root when this policy is enforced. This new policy was introduced, instead of patching the current provided restricted policy, in order to avoid breaking users' workloads that are using the restricted PSP and that might be running as a privileged user.

Note: Running containers as root increases the risk of a compromised container being used by a malicious actor as an attack platform to further exploit the user's environment. It is a security best practice to avoid running containers as a privileged user and to limit their usage to workloads where it is strictly necessary.

Patches

Patched versions include release 2.6.4 and later versions. The existing restricted PSP in Rancher 2.6.4 was not modified and still allows containers to run as a privileged user, as explained above. This fix was not backported to previous releases.

For Rancher 2.6.4 and later releases, users of the current restricted PSP who want to prevent containers from running as root are advised to migrate to the new restricted-noroot policy. Before doing this migration, it is necessary to verify whether affected workloads are currently running as a privileged user and to modify them, as appropriate for the users' own environment, to run as a non-privileged user. A redeployment of the affected workload is necessary in order for the new PSP to take effect.
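The difference between the two runAsUser rules, and the pre-migration check described above, can be seen in a small audit script. The following is an added example written for this advisory; it is not Rancher's code, and the rule fragments and sample pods in it are constructed. It evaluates pod specs (in the shape of `kubectl get pods -o json` items) against a runAsUser rule of RunAsAny, which admits UID 0, and against MustRunAsNonRoot, which rejects UID 0 and an explicit runAsNonRoot: false, and it reports which pods would need their spec changed before a restricted-noroot style policy is enforced. The helper names (`evaluate_pod`, `pods_needing_changes`) are the example's own.

```python
"""Added example (not Rancher's code): evaluate pod specs against a PSP runAsUser rule.

Hypothetical helper for auditing workloads before moving from a PSP whose
runAsUser rule is RunAsAny to one whose rule is MustRunAsNonRoot.
"""
import json

# Constructed runAsUser rule fragments; these are not Rancher's PSP templates.
RUN_AS_ANY = {"rule": "RunAsAny"}                    # the rule the advisory describes in Rancher's "restricted" PSP
MUST_RUN_AS_NON_ROOT = {"rule": "MustRunAsNonRoot"}  # upstream restricted / restricted-noroot

ALLOWED = "allowed"
DENIED = "denied"
RUNTIME_CHECK = "runtime-check"  # admitted with runAsNonRoot=true; the kubelet verifies the image USER


def effective_security_context(pod_spec, container):
    """Merge pod-level and container-level securityContext for the two fields that matter.

    Container-level values override pod-level ones, mirroring how the PSP admission
    plugin resolves the effective context for each container.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    run_as_user = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    run_as_non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    return run_as_user, run_as_non_root


def check_container(run_as_user, run_as_non_root, rule):
    """Return a verdict string for one container under the given runAsUser rule."""
    if rule["rule"] == "RunAsAny":
        # No constraint at all: UID 0 passes, which is the gap the advisory describes.
        return ALLOWED
    if rule["rule"] != "MustRunAsNonRoot":
        raise ValueError(f"unsupported runAsUser rule: {rule['rule']}")
    if run_as_user is None and run_as_non_root is None:
        # The PSP mutates the pod to runAsNonRoot=true; the final decision is made by
        # the kubelet from the image's numeric USER directive, so it cannot be decided here.
        return RUNTIME_CHECK
    if run_as_non_root is False:
        return DENIED
    if run_as_user == 0:
        return DENIED
    return ALLOWED


def evaluate_pod(pod, rule):
    """Return {container name: verdict} for every init container and container."""
    spec = pod["spec"]
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    verdicts = {}
    for c in containers:
        uid, non_root = effective_security_context(spec, c)
        verdicts[c["name"]] = check_container(uid, non_root, rule)
    return verdicts


def pods_needing_changes(pods, rule):
    """Names of pods that would be rejected under `rule` and need their spec changed."""
    return [p["metadata"]["name"] for p in pods
            if DENIED in evaluate_pod(p, rule).values()]


# Constructed sample pods in the shape of `kubectl get pods -o json` items.
SAMPLE_PODS = json.loads("""
[
 {"metadata": {"name": "root-pod"},
  "spec": {"containers": [{"name": "app", "image": "example/app",
                           "securityContext": {"runAsUser": 0}}]}},
 {"metadata": {"name": "nonroot-pod"},
  "spec": {"securityContext": {"runAsUser": 1000},
           "containers": [{"name": "app", "image": "example/app"}]}},
 {"metadata": {"name": "override-pod"},
  "spec": {"securityContext": {"runAsUser": 1000},
           "containers": [{"name": "app", "image": "example/app"},
                          {"name": "sidecar", "image": "example/sidecar",
                           "securityContext": {"runAsUser": 0}}]}},
 {"metadata": {"name": "unspecified-pod"},
  "spec": {"containers": [{"name": "app", "image": "example/app"}]}}
]
""")

if __name__ == "__main__":
    for rule in (RUN_AS_ANY, MUST_RUN_AS_NON_ROOT):
        print(rule["rule"], "-> pods needing changes:", pods_needing_changes(SAMPLE_PODS, rule))
    for pod in SAMPLE_PODS:
        print(pod["metadata"]["name"], evaluate_pod(pod, MUST_RUN_AS_NON_ROOT))
```

Under RunAsAny nothing is flagged, including the pod that explicitly sets UID 0; under MustRunAsNonRoot the root-pod and the sidecar of override-pod are flagged, and a pod that sets neither field is reported as a runtime check because the decision then depends on the image's USER directive, which a manifest-only audit cannot see.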

Workarounds

Users running Rancher 2.6.3 and previous releases, which did not receive this backport, who want to benefit from this fix can manually create a new restricted-noroot PSP on their clusters through the Rancher UI. The template of the restricted-noroot policy provided in Rancher 2.6.4 is available in the source code. As a reminder, it is also necessary to manually verify and redeploy the running workloads before enabling a more restrictive pod security policy.

References

For instructions on how to configure pod security policies using Rancher, please refer to the documentation page. For more information on PSPs in Kubernetes, please refer to the Kubernetes documentation (permalink).

Important reminder: Pod security policies are considered deprecated since Kubernetes v1.21, and will be removed in Kubernetes v1.25. Consult Kubernetes' documentation (permalink) regarding how to migrate from PodSecurityPolicy to Kubernetes' built-in PodSecurity Admission Controller. For the list of supported Kubernetes versions in Rancher, please consult our support matrix.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs